Friday, May 31, 2013

Critique of IP Commission's Cyber Security Recommendations

The National Bureau of Asian Research published (and assisted in writing) "The IP Commission Report: The report of the Commission on the theft of American intellectual property" (.pdf). The Commission's members and its stated purposes are as follows:
  • Dennis C. Blair (co-chair), former Director of National Intelligence and Commander in Chief of the U.S. Pacific Command 
  • Jon M. Huntsman, Jr. (co-chair), former Ambassador to China, Governor of the state of Utah, and Deputy U.S. Trade Representative 
  • Craig R. Barrett, former Chairman and CEO of Intel Corporation 
  • Slade Gorton, former U.S. Senator from the state of Washington, Washington Attorney General, and member of the 9-11 Commission 
  • William J. Lynn III, CEO of DRS Technologies and former Deputy Secretary of Defense 
  • Deborah Wince-Smith, President and CEO of the Council on Competitiveness 
  • Michael K. Young, President of the University of Washington and former Deputy Under Secretary of State 
The three purposes of the Commission are to:
  • Document and assess the causes, scale, and other major dimensions of international intellectual property theft as they affect the United States 
  • Document and assess the role of China in international intellectual property theft 
  • Propose appropriate U.S. policy responses that would mitigate ongoing and future damage and obtain greater enforcement of intellectual property rights by China and other infringers 
IP and trade secret theft is a rapidly growing and critical problem for U.S. companies. The IP Commission estimates the value of IP stolen from U.S. companies and government agencies at over $300 billion, about 75% of what the U.S. spends on R&D each year.

While the report takes a deep and heavily annotated dive into the scale and scope of this problem, chapters 13 and 14, which detail the Commission's cyber security recommendations, have no footnotes whatsoever. In other words, there's no way to know who provided the Commission with some very risky and questionable cyber security advice. So I called them.

I was told by the person who took my call that the cyber security experts wanted to remain anonymous; however, she recommended that I speak with someone at the NBR. I sent a message via the NBR's information email account, read receipt requested, and watched it work its way up to Roy Kamphausen, who confirmed that they spoke with "a wide array of cyber experts" but didn't mention any names.

Unfortunately, while much of the report is quite good, the cyber security advice ranges from problematic to potentially damaging. Here's my critique of that content. I'd be happy to debate it with anyone the Commission spoke with.
  1. Nowhere in this report is the critical importance of first identifying a company's critical data, its "crown jewels", mentioned. That omission is a huge problem, because most companies have no idea how to do this and the Commission never once raises it. 
  2. Locking down a person's computer with a booby-trapped file is of questionable legality and, even worse, may provoke the threat actor into returning to take more aggressive action against the targeted company. Remember Saudi Aramco? SA had to replace 2,000 servers thanks to a wiper virus that only half worked, due to some amateur coding mistakes. Remember HBGary Federal, whose CEO threatened to "out" some members of Anonymous? There is no more HBGary Federal, but Anonymous is alive and well. 
  3. Recommending the passage of CISPA is both bad security advice and inserts a political agenda into an otherwise apolitical report.  
  4. Threat-based deterrence is advocated without being adequately defined. There are numerous ways that such a deterrence plan can have negative and unexpected consequences. And just as it's stupid to pick a fight with a stranger, it's never a sound strategy to threaten an unknown adversary who can operate anonymously and holds the advantage.
  5. Chapter 14 contains a back-handed recommendation to pursue three measures that constitute aggressive offensive action. The commissioners couched it in a bizarre manner, effectively saying that while they don't recommend these things at this time, if the situation doesn't improve, then they should be considered. The measures were what's commonly called hacking back, cutting funding to the World Health Organization, and raising tariffs on Chinese goods by an amount 150% higher than the value of the IP stolen by China. 
Considering how potentially bad, if not operationally ludicrous, some of these recommendations are, it's not surprising that none of the Commission's cyber security experts wanted their names attached to the report. The topic of "active defense", "hacking back" or "offense as defense" is an important one that needs broad discussion. In fact, I made it the focus of last February's Suits and Spooks DC conference, and we'll address it again in La Jolla in two weeks. But it is rife with pitfalls and needs much more informed discussion and debate. The Commission really failed its audience with the content of these last two chapters.

Sunday, May 26, 2013

New 007-inspired logo design for Suits and Spooks

Three weeks before our 6th Suits and Spooks conference (to be held in La Jolla), I'm pleased and proud to unveil our brand new logo, created by gifted artist Angela Felan. Angela also created our Chimera logo for a new intellectual property and trade secrets product that Taia Global is developing.

I hope to have some cool Tees or dress shirts in time for the La Jolla conference. Hope to see you there.

Thursday, May 16, 2013

The Focus Areas of 26 Chinese State Key Labs for Information Technology Research

This image is a tag cloud representing the Information Technology focus areas of 26 Chinese State Key Labs. It represents a fraction of the data that we're mining for our Chimera network defense product.

Know The Targets

Monday, May 13, 2013

Boston or New York for the next Suits and Spooks?

We try to host Suits and Spooks events in different cities (other than Washington DC, which remains a constant). Our Boston attendance was quite good last year; however, I've been asked several times if we'd host a Suits and Spooks in New York City. What's your preference?


Wednesday, May 1, 2013

DOD Using Chinese satellites underscores the need to negotiate a cyber strategy with China

On March 15, 2013 I wrote an article for Slate magazine ("The U.S. response to Chinese cyberespionage is going to backfire") wherein I said:
The anti-China sentiment on the Hill, in the Pentagon, and at the White House clashes with the pro-China business policies of major U.S. companies, including those with very active in-house security operation centers. Beijing surely knows about this disconnect—and that makes the U.S. strategy look weak or inferior.
That was underscored in a big way by yesterday's announcement on the Danger Room blog that the U.S. Department of Defense's need for satellite bandwidth is so great that it has no alternative but to buy satellite time from the China Satellite Communications company.

Leaving aside DOD's justification for it and the steps it says it is taking to protect its data from Chinese collection, and also leaving aside the fact that DOD data WILL be collected despite the encryption and that Chinese researchers have compromised 5 of the world's top ten encryption algorithms, the key take-away here is my original point: Sinophobic Cold War rhetoric coming from some information security firm officials, Western media, and Congress, while U.S. businesses and now the Pentagon NEED to work with China, makes the U.S. look ridiculous and weak. As I wrote for Slate:
A better approach might be for the federal government to quietly encourage U.S. companies to take steps to harden their networks against low-level attacks (which will shrink the attack surface); identify, segregate, and monitor their crown jewels (which will make it harder for any adversary, including China, to steal them); and engage with China and Russia against a mutual enemy (mercenary hacker crews). This eliminates the rhetoric and focuses on collaboration—a requirement, since the U.S. is never going to make good on threats against the single biggest holder of U.S. debt and a vital market for U.S. multinationals.